Door Opens On Game Of Cat And Mouse

Sydney Morning Herald

Thursday October 9, 2008

Conrad Walters

FRAUDSTERS require anonymity to stay out of jail, but in the cat-and-mouse world of financial security the good guys often live in the shadows too.

Every credit card company employs analysts to pore over daily transactions and look for suspicious activity.

They rarely discuss their work in public, but with permission from his company and on the condition of anonymity, the top Australian security officer for one international credit card issuer agreed to explain how his team tries to stay ahead of the thieves.

A former inspector in the NSW fraud squad, the analyst has attended university courses in forensic accounting in Australia and overseas. His team operates from a Sydney office with a fingerprint reader at the entrance.

Inside, there are fewer than 12 workstations, with up to three computer screens on each desk to monitor programs that scour millions of transactions for signs of fraud.

The Sydney office is one of several the firm operates around the globe to provide 24-hour protection for its cardholders.

Locally, the company employs thousands of people in a call centre to keep a lookout for fraud.

If a "red-flag transaction" is found - and this happens more than 500 times a month -information is sent to the analyst's team for investigation.

"There's all different things that will trigger an inquiry," the analyst said.

"When you're looking at [credit card] skimming and counterfeiting, you're talking about multiple transactions occurring at the same time on the same account."

Suspicious activity includes transactions that occur in different suburbs, states or countries in a short space of time.

The analyst said criminals were constantly changing their scamming methods, but investigators also changed their tools and strategies constantly.

A couple of skimming devices arrive for investigation each week, he said, some from the company's Asian offices. "The police came to us a few weeks ago with a very old laptop and a handmade skimming device that was wrapped in black electrician's tape."

The device had been attached to the inside of a taxi door so the magnetic stripe on credit cards could be read and recorded out of sight. A criminal case is now proceeding through the courts.

Some scams involved taking data off a credit card and re-encoding it onto another card.

"We've had occasions where we've looked at the mag stripe on the Medicare card and found that it actually contained Joe Bloggs's Visa or Mastercard or Amex information," he said.

Other scams attacked the card-reading terminals in stores. In one case, a SIM card had been planted in the merchant's device so that as a legitimate transaction was processed, the information was sent to criminals overseas, who could then begin a spending spree by using the card details.

That particular case - and the larger problem of hacked store terminals - was tackled within two weeks.

American Express, Visa, Mastercard and Diners Club compete aggressively for customers but not for security.

The analyst said he regularly spoke to his peers at competing credit card companies so they could work together, and he knew the people charged with managing risk at the banks.

"Marketing competition doesn't exist in the fraud world," he said. "The whole idea of my area is to get rid of these people who are attacking financial tools, whether it be credit cards or traveller's cheques or whatever.

"If we can do that with our competitors that's good, because they're not going to attack us as well."

But the battle for supremacy is never ending.

"I'd like to think we're winning," he said. "But I'm also wary enough to realise that every time we think we're on top, the criminals are looking for other ways to attack us."

DONT LET THE BOGEYMAN IN

TEN TIPS TO HELP PROTECT YOUR MACHINE ONLINE

* Only use the internet with fully-updated internet security software.

The AVG anti-virus suite can be downloaded for free at free.avg.com

* Ensure your operating system, anti-virus software and internet browser are set to automatically check for and install updates.

This minimises exposure to backdoor vulnerabilities.

* Don't put any information on public webpages that could be used by a cyber thief to pose as you and access your bank account.

* Don't open attachments from people you don't know, particularly files that have the .exe'' extension.

* Always access your bank's website by typing the address into your browser.

* Never respond to emails purportedly sent from your bank asking you to verify account details especially if there is a hyperlink directing you to a new website. Your bank will never ask you for your password over the internet.

* Use a different password on your internet banking account to the ones used for your email and various website accounts.

* Don't use obvious passwords. They should be at least seven characters long, contain a mixture of letters and numbers and be changed regularly. Your password shouldn't be relevant to your personal situation.

* Only use your credit card at reputable online merchants.

* Don't use a public computer to access online banking or to buy goods via credit card.

© 2008 Sydney Morning Herald

Back to News Index | Back to Home